Vulnerability reporting - the good, the bad and the ugly

A presentation at ONE Conference 2021 in the Netherlands by Simon Whittaker

Using examples from my extensive career in the security industry, we will explore ways in which notifications about security vulnerabilities have changed throughout the years. This will include details of a CVE in Lenovo products which our team located and publicised responsibly, and a discussion of how a data breach was found and reported to one of the world’s largest communications companies. We’ll explore best practice and hints and tips for a successful and responsible disclosure. We’ll also discuss how law enforcement react in these situations and ways to ensure that you don’t fall foul of legislation during the process.


The following resources were mentioned during the presentation or are useful additional information.